Security issue details

A serious security hole has been found in aMember Pro. It affects all aMember Pro versions from 2.4.1 to 3.0.8. It is absolutely NECESSARY to take action against this and protect your aMember installation. The steps to follow are below. Please note that not all steps are necessary: in fact, if you follow just one step completely, you are safe. To be sure, we recommend that you follow at least the first step. We understand that upgrading to the latest version is not an easy alternative for customers running old versions of aMember, so an upgrade is NOT NECESSARY. If you have followed the first step, an upgrade is not required.

NOTE

Please change all passwords related to your website. Go to your webhosting control panel and change your account password. Log in to aMember and change the admin password (this is done at aMember CP -> Admin Accounts or at aMember CP -> Setup). Log in to the CGI-Central members area and change your password as well.

GOAL

It is necessary to prevent third parties from accessing the .inc.php files in the amember/ folder when register_globals is enabled. If register_globals is disabled, OR the .inc.php files cannot be accessed, the hack is impossible. It is also possible to alter the files (with an upgrade to 2.3.8); then the hack will be impossible even if the .inc.php files are accessed while register_globals is enabled. In most of today's installations register_globals is disabled, so your site cannot be hacked. But it is better to set up protection anyway, just to be sure.

METHODS OF PROTECTION

METHOD 1 - DELETE VULNERABLE FILES

It is very easy and is the RECOMMENDED method of protection. You don't need to download the latest version to apply it.

There are just a few vulnerable files, and in fact these files are not needed for most installations of aMember. If you are not using the PayPal PRO, SecPay and PayMeNow payment processors, you can safely delete the following files from your installation, and you're all set.

amember/plugins/payment/paymenow/config.inc.php
amember/plugins/payment/paymenow/paymenow.inc.php
amember/plugins/payment/paypal_pro/paypal_pro.inc.php
amember/plugins/payment/secpay/secpay.inc.php
amember/plugins/payment/secpay/config.inc.php
amember/plugins/payment/manual_cc/config.inc.php

If you have a version of aMember older than 3.0.8 and some of these files are not present in your installation, that is OK. Just delete the files that exist in your installation.

METHOD 2. SECURING EXISTING INSTALLATION

This method is a little more complicated; however, you don't need to download the latest version and you don't need to upgrade to apply it.

Please do the following:

  • log in to your aMember Admin CP and go to Version Info,
  • search for the word "register_globals" - you will see whether it is enabled (On) or disabled (Off).

If you see "Off" in the "Local Value" column (left), your system is secure and you don't need to install the patches (which we will send tomorrow) or take any other action.
If you see "On" in the "Local Value" column (left), your system is at risk; please follow the instructions below.

  1. In a text editor (Notepad, not MS Word!), create a file named ".htaccess" (yes, there is a DOT before htaccess - it is a necessary part of the filename).

  2. If you are on LunarPages, or you know that your hosting uses phpSuExec, skip to step 5 (the LunarPages note). Otherwise, insert the following text into the file:

php_flag register_globals off
<Files ~ "\.inc\.php$">
<Limit GET POST>
Order allow,deny
deny from all
</Limit>
</Files>

If you have already uploaded the one-line file recommended in the first email notice, you may either upload the new .htaccess file shown above or keep things as they are. It is your choice, but upload the new file if you can.

  3. With your favorite FTP software, upload the ".htaccess" file to your webserver, into the amember/ folder (the folder where you have aMember installed). It may seem to disappear after uploading, because many FTP clients treat such files as hidden.

  4. Go to aMember CP -> Version Info again. This time you should see "Off" opposite "register_globals" (in the Local Value column). If so, your aMember is secure again and there is no security risk. If not, please read on.

  5. If you get "Internal Server Error", or your site is hosted on LunarPages, remove the first line from the .htaccess file so that it looks like this:

<Files ~ "\.inc\.php$">
<Limit GET POST>
Order allow,deny
deny from all
</Limit>
</Files>

Upload it to the amember/ folder over the existing .htaccess file. Once that is done, try to access the file http://www.yoursite.com/amember/plugins/db/mysql/mysql.inc.php in your browser. Access must be refused: you should see an "Access Denied" or "403" error message, and you should NOT see a PHP error message. If you see "access denied" or "403", you are protected from the hack even if register_globals is enabled.

  6. If none of the above advice helps, please contact your webhosting support and find out how to disable the 'register_globals' PHP setting and/or deny access to '*.inc.php' files inside the amember/ folder.

  7. If nobody can help, please contact us via the helpdesk.
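As an added check (not part of this advisory or of aMember itself), the following script audits a local amember/ directory for both protections described above: whether the Method 1 files are still present, and whether the Method 2 .htaccess rules are in place. It builds a constructed sample tree for demonstration; the .htaccess check is static and does not prove the server honours the file, so the Version Info and browser checks in steps 4 and 5 still apply.

```python
# Added audit for Methods 1 and 2 above (not part of the original advisory); runs on a constructed sample tree.
import re
import tempfile
from pathlib import Path

VULNERABLE_FILES = [  # the Method 1 list from the advisory, relative to amember/
    "plugins/payment/paymenow/config.inc.php",
    "plugins/payment/paymenow/paymenow.inc.php",
    "plugins/payment/paypal_pro/paypal_pro.inc.php",
    "plugins/payment/secpay/secpay.inc.php",
    "plugins/payment/secpay/config.inc.php",
    "plugins/payment/manual_cc/config.inc.php",
]
HTACCESS = ('php_flag register_globals off\n<Files ~ "\\.inc\\.php$">\n<Limit GET POST>\n'
            'Order allow,deny\ndeny from all\n</Limit>\n</Files>\n')  # the Method 2 file

def remaining_vulnerable_files(amember_dir):
    """Method 1 check: the vulnerable files that still exist under amember_dir."""
    return [f for f in VULNERABLE_FILES if Path(amember_dir, f).is_file()]

def delete_vulnerable_files(amember_dir):
    """Method 1 fix: remove the vulnerable files; returns what was removed."""
    removed = remaining_vulnerable_files(amember_dir)
    for f in removed:
        Path(amember_dir, f).unlink()
    return removed

def htaccess_status(amember_dir):
    """Method 2 check: (register_globals off, .inc.php denied). Static only: phpSuExec hosts reject php_flag."""
    path = Path(amember_dir, ".htaccess")
    if not path.is_file():
        return (False, False)
    text = path.read_text()
    rg_off = re.search(r"^\s*php_flag\s+register_globals\s+off\s*$", text, re.I | re.M) is not None
    block = re.search(r'<Files\s+~\s*"\\\.inc\\\.php\$"\s*>(.*?)</Files>', text, re.I | re.S)
    denied = block is not None and re.search(r"deny\s+from\s+all", block.group(1), re.I) is not None
    return (rg_off, denied)

def is_protected(amember_dir):
    """Per the advisory, one protection suffices: files gone, register_globals off, or .inc.php denied."""
    return not remaining_vulnerable_files(amember_dir) or any(htaccess_status(amember_dir))

def build_sample_install(with_htaccess):
    """Constructed fixture: a temp amember/ tree holding the vulnerable files and optionally the .htaccess."""
    root = Path(tempfile.mkdtemp())
    for f in VULNERABLE_FILES:
        Path(root, f).parent.mkdir(parents=True, exist_ok=True)
        Path(root, f).touch()
    if with_htaccess:
        Path(root, ".htaccess").write_text(HTACCESS)
    return str(root)
```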

METHOD 3. UPGRADE TO aMEMBER 3.0.9

In fact, an upgrade to 3.0.9 is only recommended for aMember Pro 3.0.8 and 3.0.7 customers. The only difference between 3.0.9 and 3.0.8 is the security fixes. It is also necessary for those who are using the PayPal PRO, PayMeNow and SecPay payment processors.

If none of the above advice works for you, you may go another way: remove your existing installation of aMember and install the new version. We don't recommend doing this if you have an old or CUSTOMIZED version of aMember and did not plan an upgrade before. Please note that an upgrade will destroy all previous customizations. The steps described above are quite enough to keep your installation safe. It is especially not recommended to upgrade right now, because we are planning a new release of aMember soon; 3.0.9 is just a security bugfix release.
